topic Issue with stats count with multiple fields in Splunk Search

Issue with stats count with multiple fields

a238574 — Thu, 25 Jul 2019 12:55:13 GMT

I am using the stats count function to get a count of unique events. as part of the list I am want to show additional fields in the Statistics output. When I run my fairly simple query and use |stats count by field1 the numbers look correct. When I use | stats count by field1,field2,field3,field4 The count seems to increase more for each field I add but the strange thing is that the number of Statistics in the results does not change. For my real query I get 990 events and 142 entries on the Statistics tab for every search no matter how many fields I use in the stats count but the count for each statistic in the list grows every time I add a field.

Re: Issue with stats count with multiple fields

vnravikumar — Thu, 25 Jul 2019 15:28:50 GMT

Try like

|stats count,  list(field2)  as field2,list(field3) as field3,list(field4) as field4 by field1

Re: Issue with stats count with multiple fields

a238574 — Fri, 26 Jul 2019 12:37:48 GMT

Did some more testing trying to figure out why the count was increasing and my results got worse. I made a simple search looking to produce a set of results where the field I count by should equal the number of events...

index=x accountid=123456789 | stats count by accountid

The search returns 936 events but the count is 1248.... how does it get to 1248 from 936 events

Re: Issue with stats count with multiple fields

a238574 — Fri, 26 Jul 2019 15:37:38 GMT

That produces a multi line output for each unique event